THE MAILING DATE OF THIS COMMUNICATION.

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
after SIX (6) MONTHS from the mailing date of this communication. 
earned patent term adjustment. See 37 CFR 1.704(b).
1) [x] Responsive to communication(s) filed on 14 October 2004.

2a) [ ] This action is FINAL. 2b) [x] This action is non-final.

3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

4) [x] Claim(s) 1-45 is/are pending in the application.

4a) Of the above claim(s) is/are withdrawn from consideration.

5) [x] Claim(s) 44 is/are allowed.

6) [x] Claim(s) 1-28, 30-43 and 45 is/are rejected.

7) [x] Claim(s) 29 is/are objected to.

8) [ ] Claim(s) are subject to restriction and/or election requirement.

9) [ ] The specification is objected to by the Examiner.
DETAILED ACTION

1. Claims 1-45 are pending in the application.

2. Claims 1-28, 30-43 and 45 have been rejected.

3. Claims 1-29 has been objected to.



Response to Arguments 



4. Applicant's arguments with respect to claims 1-45 have been considered but are moot in view 
of the new ground(s) of rejection. 



Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the
basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless -

(e) the invention was described in a patent granted on an application for patent by another filed in the United
States before the invention thereof by the applicant for patent, or on an international application by another who
has fulfilled the requirements of paragraphs (1), (2), and (4) of section 371(c) of this title before the invention
thereof by the applicant for patent.

The changes made to 35 U.S.C. 102(e) by the American Inventors Protection Act of 1999
(AIPA) and the Intellectual Property and High Technology Technical Amendments Act of 2002
do not apply when the reference is a U.S. patent resulting directly or indirectly from an
international application filed before November 29, 2000. Therefore, the prior art date of the
reference is determined under 35 U.S.C. 102(e) prior to the amendment by the AIPA (pre-AIPA
35 U.S.C. 102(e)).

5. Claims 1-5, 8-20, 23-28, 30, 33, 34 and 39-45 are rejected under 35 U.S.C. 102(e) as being
anticipated by Hsieh U.S. Patent No. 5,925,126.

As to claims 1, 13 and 39, Hsieh discloses a method of examining a network, including:

identifying an operating system of a remote host, including a version and a
patch level of the operating system [column 5, lines 46-67];

identifying a service of the remote host, including a version and a patch
level of the service [column 6 line 66 to column 7 line 25];

identifying a vulnerability of the network based on information obtained
from the steps of identifying an operating system and identifying a service
[column 6 line 66 to column 7 line 25].

As to claims 2, 12, 17 and 45, Hsieh discloses that the step of identifying an operating 
system includes sending a first set of packets to the remote host and receiving a second set of 
packets from the remote host in response to the first set of packets [column 5, lines 28-67]. 
Hsieh discloses analyzing the second set of packets for inferential information indicative of the 
operating system. Hsieh discloses that the step of identifying a service includes sending a third 
set of packets to the remote host and receiving a fourth set of packets from the remote host in 
response to the third set of packets [column 5, lines 28-67]. Hsieh discloses that the information
contained in the third set of packets is based on information received in the second set of packets.
Hsieh discloses analyzing the fourth set of packets for inferential information indicative of the
service [column 5, lines 28-67]. Hsieh discloses that the step of identifying a vulnerability
includes comparing information contained in the second set of packets and the fourth set of 
packets to preexisting vulnerability information in a database [column 6 line 66 to column 7 line 
25]. 
As to claim 3, Hsieh suggests that the step of identifying an operating system includes
sending three sets of packets to the remote host and receiving three respective sets of responsive 
packets from the remote host [column 6 line 66 to column 7 line 25]. 

As to claim 4, Hsieh discloses a method of examining a network, including: 

nonintrusively and reliably identifying an operating system of a remote 
host including identifying a version of the operating system based on inferential 
information received from the remote host [column 5, lines 46-67]; 

nonintrusively and reliably identifying a service of the remote host 
including identifying a version of the service based on inferential information 
received from the remote host [column 5, lines 46-67]. 
As to claim 5, Hsieh discloses identifying a vulnerability of the network, as discussed
above.

As to claim 8, Hsieh discloses identifying security policy violations on the network
[column 6, lines 49-65].

As to claim 9, Hsieh discloses the step of identifying an operating system further includes 
identifying a patch level of the operating system. Hsieh discloses the step of identifying a 
service further includes identifying a patch level of the service, as discussed above. 

As to claim 10, Hsieh discloses sending a selected packet to the remote host. Hsieh 
discloses receiving from the remote host a reflexive responsive packet [column 7 line 49 to 
column 8 line 4].

As to claim 11, Hsieh discloses sending a plurality of selected packets to the remote host.
Hsieh discloses receiving from the remote host a plurality of reflexive responsive packets 
[column 7 line 49 to column 8 line 4]. 

As to claim 14, Hsieh discloses that the step of identifying a vulnerability includes using 
information obtained from the steps of identifying an operating system and identifying a service 
to identify the vulnerability, as discussed above. 

As to claim 15, Hsieh discloses that the step of identifying an operating system further 
includes identifying a patch level of the operating system, as discussed above. Hsieh discloses 
that the step of identifying a service includes identifying a patch level of the service, as discussed 
above. 

As to claim 16, Hsieh discloses sending a selected packet to the remote host. Hsieh 
discloses receiving from the remote host a reflexive responsive packet, as discussed above. 

As to claim 18, Hsieh suggests that the information contained in the third set of packets is 
based on information received in the second set of packets. Hsieh suggests that the information 
contained in the fifth set of packets is based on information received in the fourth set of packets 
[column 7, lines 37-65]. 

As to claim 19, Hsieh discloses a method of examining a network, including: 

sending a set of selected packets to a remote host on the network [column 
6 line 66 to column 7 line 25]; 

receiving from the remote host a set of reflexive responsive packets 
[column 6 line 66 to column 7 line 25]; 
identifying conditions of the remote host by using inferential information
received in the reflexive responsive packets, wherein the conditions include an 
operating system of the host, and a service of the host [column 7, lines 37-65]. 

As to claim 20, Hsieh discloses that the conditions further include a vulnerability of the 
host, as discussed above. 

As to claim 23, Hsieh discloses that identifying an operating system includes identifying 
a version, as discussed above. Hsieh discloses that identifying a service includes identifying a 
version, as discussed above. 

As to claim 24, Hsieh discloses that identifying an operating system includes identifying 
a version and a patch level, as discussed above. Hsieh discloses that identifying a service 
includes identifying a version and a patch level, as discussed above. 

As to claim 25, Hsieh discloses that the step of sending a set of selected packets to a host 
on the network includes sending a plurality of sets of packets to the host. Hsieh discloses that 
the step of receiving from the remote host a set of reflexive responsive packets includes 
receiving a like plurality of sets of reflexive responsive packets [column 5, lines 46-67]. 

As to claims 26, 40 and 41, Hsieh discloses a method of detecting a vulnerability of a 
network, comprising: 

sending a first set of test packets to a remote host on the network, as 
discussed above; 

receiving a first set of reflexive packets from the remote host in response 
to the first set of test packets, as discussed above; 
sending a second set of test packets to the remote host on the network,
wherein information contained in the first set of test packets is based on 
inferential information contained in the first set of reflexive packets, as discussed 
above; 

receiving a second set of reflexive packets from the remote host in 
response to the second set of test packets, as discussed above; 

based on inferential information contained in the first set of reflexive 
packets, identifying an operating system of the remote host, including a version 
and a patch level, as discussed above; and

based on inferential information contained in the second set of reflexive
packets, identifying a service of the remote host, including a version and a patch
level, as discussed above.

As to claim 27, Hsieh discloses sending a seventh set of selected packets to a host on the 
network. Hsieh discloses receiving an eighth set of packets from the remote host in response to 
the seventh set of packets. Hsieh discloses sending a ninth set of selected packets to a host on 
the network. Hsieh discloses receiving a tenth set of packets from the remote host in response to 
the ninth set of packets. Hsieh discloses that based on information contained in the eighth and
tenth sets of packets, identifying a service of a host on the network, including a version and a
patch level [column 7, lines 37-65].

As to claim 28, Hsieh discloses that based on information contained in at least the tenth 
sequence, identifying a vulnerability [column 6, lines 49-65]. 

As to claim 30, Hsieh discloses a method of examining a network, comprising: 
sending a plurality of packets to a host on the network, as discussed above;

receiving a responsive plurality of packets from the host, as discussed
above;

comparing inferential information in the responsive packets to information
stored in a database;

based on the comparison, identifying a plurality of network conditions,
including a vulnerability of the network [column 6, lines 49-65].

As to claim 33, Hsieh discloses a method of examining a network, comprising: 

sending packets to a host on the network, as discussed above; 

receiving responsive packets from the host, as discussed above;

comparing inferential information in the responsive packets to information 
stored in a database, as discussed above; and 

based on the comparison, inferring an unknown vulnerability [column 6, 
lines 49-65]. 

As to claim 34, Hsieh discloses a method of examining a network, comprising: 

sending packets to a host on the network, as discussed above; 

receiving responsive packets from the host, as discussed above; 

comparing inferential information in the responsive packets to information 
stored in a database, as discussed above; and 

based on the comparison, identifying a security policy violation [column 
6, lines 49-65]. 
As to claim 42, Hsieh discloses receiving a set of selected packets from remote
equipment, as discussed above. Hsieh discloses automatically sending a second set of packets to
the remote equipment, which packets include information that enables the remote equipment to
identify a vulnerability on the network, as discussed above.

As to claim 43, Hsieh discloses a method for use by a host on a network, comprising: 

receiving a first set of test packets from remote equipment, as discussed
above;

automatically sending a first set of reflexive packets to the remote 
equipment, the first set of reflexive packets containing information generated 
according to a Request for Comment (RFC) protocol and indicative of an 
operating system, including a version and patch level [column 5, lines 27-67]; 

receiving a first test packet from the remote equipment as discussed
above;

automatically sending a second set of reflexive packets to the remote 
equipment, the second set of reflexive packets containing information generated 
according to a Request For Comment (RFC) protocol and indicative of a service, 
including a version and patch level [column 6, lines 1-18]; 

wherein the first set of reflexive packets includes information that 
enables the remote equipment to identify the operating system on the host 
information that enables the remote equipment to identify a service, including a
version and a patch level [column 6, lines 1-18];

wherein the second set of reflexive packets includes information that
enables the remote equipment to identify the service on the host, including a
version and a patch level [column 6, lines 1-18].

6. Claims 31, 35, 36 and 38 are rejected under 35 U.S.C. 102(e) as being anticipated by
Arnold et al U.S. Patent No. 5,440,723. 

As to claim 31, Arnold et al discloses a method of examining a network, comprising: 

sending packets to a host on the network [column 4 line 61 to column 5 
line 16]; 

receiving responsive packets from the host [column 4 line 61 to column 5 
line 16]; 

comparing inferential information in the responsive packets to information 
stored in a database [column 4 line 61 to column 5 line 16]; and 

based on the comparison, identifying a Trojan application on the network 
[column 4 line 61 to column 5 line 16].

As to claim 35, Arnold et al discloses a system for examining a network, comprising: 

database including a set of reflex signatures [column 5, lines 29-46]; 

a packet generator [column 5, lines 29-46]; 

a comparison unit in communication with the packet generator and the 
database [column 7, lines 11-33]; 

wherein the packet generator is designed to generate and transmit a 
plurality of test packets to the network [column 7, lines 11-33];

wherein the comparison unit is designed to receive responsive packets
from the network and to compare inferential information from the reflex 
signatures [column 7, lines 11-33]. 
As to claim 36, Arnold et al discloses that the comparison unit is further designed to 
identify a vulnerability in the network based on its comparison of packet information with reflex 
signatures [column 4 line 61 to column 5 line 16]. 

As to claim 38, Arnold et al discloses that the comparison unit is designed to provide 
information to the packet generator, and wherein the packet generator is designed to use the 
information to selectively generate packets [column 5, lines 29-46].

7. Claim 32 is rejected under 35 U.S.C. 102(e) as being anticipated by Diersch et al U.S. 
Patent No. 6,101,606. 

As to claim 32, Diersch et al discloses a method of examining a network, comprising: 

sending packets to a host on the network [column 5, lines 11-65];

receiving responsive packets from the host [column 5, lines 11-65];

comparing inferential information in the responsive packets to information
stored in a database [column 5, lines 11-65]; and

based on the comparison, identifying unauthorized software use on the 
network [column 5, lines 11-65]. 

Claim Rejections - 35 USC § 103 
The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the
manner in which the invention was made. 

8. Claims 6 and 22 are rejected under 35 U.S.C. 103(a) as being unpatentable over Hsieh 
U.S. Patent No. 5,925,126 as applied to claim 1 above, and further in view of Drake U.S. 
Patent No. 6,006,328. 

As to claims 6 and 22, Hsieh does not teach identifying a Trojan application on the host. 
Drake teaches identifying a Trojan application on the host [column 1 line 56 to column 2
line 2].

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Hsieh so that when the operating system is being 
identified that a Trojan application on the host was also identified. 

It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified Hsieh by the teaching of Drake because it prevents 
eavesdropping, prevents disassembly and examination, detects tampering, prevents
execution-tracing and ensures authenticity [column 5, lines 3-14].

9. Claims 7 and 21 are rejected under 35 U.S.C. 103(a) as being unpatentable over Hsieh 
U.S. Patent No. 5,925,126 as applied to claim 1 above, and further in view of Hornbuckle 
U.S. Patent No. 5,388,211. 

As to claims 7 and 21, Hsieh does not teach identifying unauthorized software use on the
host.

Hornbuckle teaches identifying unauthorized software use on the host [column 3, lines 6-63].

Therefore, it would have been obvious to a person having ordinary skill in the art at the
time the invention was made to have modified Hsieh so that when the operating system is being 
identified that unauthorized software use was also identified on the host. 

It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified Hsieh by the teaching of Hornbuckle because it prevents 
theft, copying, vandalism or modification [column 3, lines 6-15]. 

10. Claim 37 is rejected under 35 U.S.C. 103(a) as being unpatentable over Arnold et al 
U.S. Patent No. 5,440,723 as applied to claim 35 above, and further in view of Hsieh U.S. 
Patent No. 5,925,126.

As to claim 37, Arnold et al does not teach that the comparison unit is further designed to 
identify an operating system type, version, and patch level and a service type, version, and patch 
level of a host on the network. 

Hsieh teaches a comparison unit that is designed to identify an operating system type, 
version, and patch level and a service type, version, and patch level of a host on the network, as 
discussed above. 

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Arnold et al so that the comparison unit would 
have identified an operating system type, version, and patch level and a service type, version, 
and patch level of a host on the network. 

It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified Arnold et al by the teaching of Hsieh because the examiner 
asserts that certain versions of some operating system are known to have known vulnerabilities 
as well as service types and patch levels. Therefore, it would be necessary to check these
elements on a host to prevent exploitations on these known vulnerabilities. 

Claim Objections 

11. Claim 29 is objected to as being dependent upon a rejected base claim, but would be 
allowable if rewritten in independent form including all of the limitations of the base claim 
and any intervening claims. 

As to claim 29, prior art does not teach a first set of packets that includes: a SYN Packet
with false flag in the TCP option header; a Fragmented UDP packet with malformed header (any
header inconsistency is sufficient), where the packet is 8K in size; a FIN Packet of a selected
variable size or a FIN packet without the ACK or SYN flag properly set; and a generic,
well-formed ICMP ECHO request packet. Prior art does not teach a third set of packets
includes: a generic well-formed TCP Header set to 1024 bytes in size; a packet requesting an
ICMP Timestamp; a packet with min/max segment size set to a selected variable value; and a
UDP packet with the fragment bit set. Prior art does not teach a fifth set of packets includes: a
TCP Packet with the header and options set incorrectly; a well-formed ICMP Packet; a
Fragmented TCP or UDP packet; a packet with an empty TCP window or a window set to zero; a
generic TCP Packet with 8K of random data; and a SYN Packet with ACK and RST flags set.

Allowable Subject Matter 

12. Claim 44 is allowed. 

As to claim 44, prior art does not disclose or fairly suggest that the first set of packets 
comprises an operating system packet to determine the operating system. Prior art does not 
disclose or fairly suggest an operating system version packet to determine the operating system 
version based on the determined operating system. Prior art does not disclose or fairly suggest
an operating system patch level packet to determine the operating system patch level based on
the determined operating system version. Prior art does not disclose or fairly suggest identifying
a service of the remote host that includes a version and a patch level of the service with a second
set of packets based on at least one of the first set of packets. Prior art does not disclose or
fairly suggest that the first set of packets comprising a service packet to determine the service. 
Prior art does not disclose or fairly suggest service version packet to determine the service 
version based on the determined service. Prior art does not disclose or fairly suggest a service 
patch level packet to determine the service patch level based on the determined service version. 
Prior art does not disclose or fairly suggest identifying a vulnerability of the network based on 
information obtained from the steps of identifying an operating system and identifying a service. 

Conclusion



13. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Aravind K Moorthy whose telephone number is 571-272-3793. 
The examiner can normally be reached on Monday-Friday, 8:00-5:30. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz R Sheikh can be reached on 571-272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 



Aravind K Moorthy 
January 21, 2005 




